Type ref.null as exact (#7371)

`RefNull` expression now have type `(ref exact null bot)`, allowing them
to be used wherever a nullable exact reference is expected. Update the
fuzzer and fix a few bugs with exactness propagation this uncovers.

Author: tlively

scripts/test/fuzzing.py

@@ -108,6 +108,7 @@
     'remove-unused-types-exact.wast',
     'coalesce-locals-exact.wast',
     'remove-unused-brs-exact.wast',
+    'exact.wast',
 ]
 
 

src/ir/manipulation.h

@@ -40,10 +40,9 @@ template<typename InputType> inline Nop* nop(InputType* target) {
 }
 
 template<typename InputType>
-inline RefNull* refNull(InputType* target, Type type) {
-  assert(type.isNullable() && type.getHeapType().isBottom());
+inline RefNull* refNull(InputType* target, HeapType type) {
   auto* ret = convert<InputType, RefNull>(target);
-  ret->finalize(type);
+  ret->finalize(Type(type.getBottom(), Nullable, Exact));
   return ret;
 }
 

src/ir/type-updating.cpp

@@ -342,6 +342,7 @@ Type GlobalTypeRewriter::getTempType(Type type) {
   if (type.isRef()) {
     auto heapType = type.getHeapType();
     if (auto it = typeIndices.find(heapType); it != typeIndices.end()) {
+      // TODO: Handle exactness.
       return typeBuilder.getTempRefType(typeBuilder[it->second],
                                         type.getNullability());
     }

src/ir/type-updating.h

@@ -497,6 +497,7 @@ class TypeMapper : public GlobalTypeRewriter {
     auto heapType = type.getHeapType();
     auto iter = mapping.find(heapType);
     if (iter != mapping.end()) {
+      // TODO: Handle exactness.
       return getTempType(Type(iter->second, type.getNullability()));
     }
     return getTempType(type);

src/literal.h

@@ -243,7 +243,7 @@ class Literal {
     }
   }
   static Literal makeNull(HeapType type) {
-    return Literal(Type(type.getBottom(), Nullable));
+    return Literal(Type(type.getBottom(), Nullable, Exact));
   }
   static Literal makeFunc(Name func, HeapType type) {
     return Literal(func, type);

src/passes/OptimizeInstructions.cpp

@@ -2297,11 +2297,6 @@ struct OptimizeInstructions
           // we need to check exactness. We can replace the cast with a drop
           // followed by a direct return of the value, though.
           if (ref->type.isNull()) {
-            // TODO: Remove this once we type ref.null as exact.
-            if (needsExactCast) {
-              return;
-            }
-
             // We can materialize the resulting null value directly.
             //
             // The type must be nullable for us to do that, which it normally

src/tools/fuzzing.h

@@ -360,6 +360,10 @@ class TranslateToFuzzReader {
   // instruction for EH is supposed to exist only at the beginning of a 'catch'
   // block, so it shouldn't be moved around or deleted freely.
   bool canBeArbitrarilyReplaced(Expression* curr) {
+    // TODO: Remove this once we better support exact references.
+    if (curr->type.isExact()) {
+      return false;
+    }
     return curr->type.isDefaultable() &&
            !EHUtils::containsValidDanglingPop(curr);
   }
@@ -521,7 +525,9 @@ class TranslateToFuzzReader {
   Type getLoggableType();
   bool isLoggableType(Type type);
   Nullability getNullability();
+  Exactness getExactness();
   Nullability getSubType(Nullability nullability);
+  Exactness getSubType(Exactness exactness);
   HeapType getSubType(HeapType type);
   Type getSubType(Type type);
   Nullability getSuperType(Nullability nullability);

src/tools/fuzzing/fuzzing.cpp

@@ -1566,20 +1566,22 @@ void TranslateToFuzzReader::recombine(Function* func) {
       }
 
       std::vector<Type> ret;
-      auto heapType = type.getHeapType();
-      auto nullability = type.getNullability();
+      ret.push_back(type);
 
-      if (nullability == NonNullable) {
-        ret = getRelevantTypes(Type(heapType, Nullable));
+      if (type.isNonNullable()) {
+        auto nullable = getRelevantTypes(type.with(Nullable));
+        ret.insert(ret.end(), nullable.begin(), nullable.end());
+      }
+      if (type.isExact()) {
+        auto inexact = getRelevantTypes(type.with(Inexact));
+        ret.insert(ret.end(), inexact.begin(), inexact.end());
+        // Do not consider exact references to supertypes.
+        return ret;
       }
 
-      while (1) {
-        ret.push_back(Type(heapType, nullability));
-        auto super = heapType.getSuperType();
-        if (!super) {
-          break;
-        }
-        heapType = *super;
+      for (auto heapType = type.getHeapType().getSuperType(); heapType;
+           heapType = heapType->getSuperType()) {
+        ret.push_back(type.with(*heapType));
       }
 
       return ret;
@@ -4902,9 +4904,17 @@ static auto makeArrayBoundsCheck(Expression* ref,
                                  Function* func,
                                  Builder& builder,
                                  Expression* length = nullptr) {
-  auto tempRef = builder.addVar(func, ref->type);
+  // The reference might be a RefNull, in which case its type is exact. But we
+  // want to avoid creating exact-typed locals until we support them more widely
+  // in the fuzzer, so adjust the type. TODO: remove this once exact references
+  // are better supported.
+  Type refType = ref->type;
+  if (refType.isExact()) {
+    refType = refType.with(Inexact);
+  }
+  auto tempRef = builder.addVar(func, refType);
   auto tempIndex = builder.addVar(func, index->type);
-  auto* teeRef = builder.makeLocalTee(tempRef, ref, ref->type);
+  auto* teeRef = builder.makeLocalTee(tempRef, ref, refType);
   auto* teeIndex = builder.makeLocalTee(tempIndex, index, index->type);
   auto* getSize = builder.makeArrayLen(teeRef);
 
@@ -4931,7 +4941,7 @@ static auto makeArrayBoundsCheck(Expression* ref,
     // An additional use of the length, if it was provided.
     Expression* getLength = nullptr;
   } result = {builder.makeBinary(LtUInt32, effectiveIndex, getSize),
-              builder.makeLocalGet(tempRef, ref->type),
+              builder.makeLocalGet(tempRef, refType),
               builder.makeLocalGet(tempIndex, index->type),
               getLength};
   return result;
@@ -5320,13 +5330,37 @@ Nullability TranslateToFuzzReader::getNullability() {
   return Nullable;
 }
 
+Exactness TranslateToFuzzReader::getExactness() {
+  // Without GC, the only heap types are func and extern, neither of which is
+  // exactly inhabitable. To avoid introducing uninhabitable types, only
+  // generate exact references when GC is enabled. We don't need custom
+  // descriptors to be enabled even though that is the feature that introduces
+  // exact references because the binary writer can always generalize the exact
+  // reference types away.
+  //
+  // if (wasm.features.hasGC() && oneIn(8)) {
+  //   return Exact;
+  // }
+  //
+  // However, we cannot yet handle creating exact references in general, so for
+  // now we always generate inexact references when given the choice. TODO.
+  return Inexact;
+}
+
 Nullability TranslateToFuzzReader::getSubType(Nullability nullability) {
   if (nullability == NonNullable) {
     return NonNullable;
   }
   return getNullability();
 }
 
+Exactness TranslateToFuzzReader::getSubType(Exactness exactness) {
+  if (exactness == Exact) {
+    return Exact;
+  }
+  return getExactness();
+}
+
 HeapType TranslateToFuzzReader::getSubType(HeapType type) {
   if (oneIn(3)) {
     return type;
@@ -5418,9 +5452,18 @@ Type TranslateToFuzzReader::getSubType(Type type) {
     if (!funcContext && heapType.isMaybeShared(HeapType::exn)) {
       return type;
     }
-    heapType = getSubType(heapType);
+    if (type.isExact()) {
+      // The only other possible heap type is bottom, but we don't want to
+      // generate too many bottom types.
+      if (!heapType.isBottom() && oneIn(20)) {
+        heapType = heapType.getBottom();
+      }
+    } else {
+      heapType = getSubType(heapType);
+    }
     auto nullability = getSubType(type.getNullability());
-    auto subType = Type(heapType, nullability);
+    auto exactness = getSubType(type.getExactness());
+    auto subType = Type(heapType, nullability, exactness);
     // We don't want to emit lots of uninhabitable types like (ref none), so
     // avoid them with high probability. Specifically, if the original type was
     // inhabitable then return that; avoid adding more uninhabitability.

src/wasm-builder.h

@@ -670,11 +670,11 @@ class Builder {
   }
   RefNull* makeRefNull(HeapType type) {
     auto* ret = wasm.allocator.alloc<RefNull>();
-    ret->finalize(Type(type.getBottom(), Nullable));
+    ret->finalize(Type(type.getBottom(), Nullable, Exact));
     return ret;
   }
   RefNull* makeRefNull(Type type) {
-    assert(type.isNullable() && type.isNull());
+    assert(type.isNullable() && type.isNull() && type.isExact());
     auto* ret = wasm.allocator.alloc<RefNull>();
     ret->finalize(type);
     return ret;
@@ -1270,7 +1270,7 @@ class Builder {
       return makeConst(value);
     }
     if (value.isNull()) {
-      return makeRefNull(type);
+      return makeRefNull(type.getHeapType());
     }
     if (type.isFunction()) {
       return makeRefFunc(value.getFunc(), type.getHeapType());
@@ -1435,8 +1435,8 @@ class Builder {
       return maybeWrap(makeConstantExpression(Literal::makeZeros(curr->type)));
     }
     if (curr->type.isNullable()) {
-      return maybeWrap(ExpressionManipulator::refNull(
-        curr, Type(curr->type.getHeapType().getBottom(), Nullable)));
+      return maybeWrap(
+        ExpressionManipulator::refNull(curr, curr->type.getHeapType()));
     }
     if (curr->type.isRef() &&
         curr->type.getHeapType().isMaybeShared(HeapType::i31)) {

src/wasm/literal.cpp

@@ -72,7 +72,9 @@ Literal::Literal(const uint8_t init[16]) : type(Type::v128) {
 }
 
 Literal::Literal(std::shared_ptr<GCData> gcData, HeapType type)
-  : gcData(gcData), type(type, gcData ? NonNullable : Nullable) {
+  : gcData(gcData),
+    type(type, gcData ? NonNullable : Nullable, gcData ? Inexact : Exact) {
+  // TODO: Use exact types for more than just nulls.
   // The type must be a proper type for GC data: either a struct, array, or
   // string; or an externalized version of the same; or a null.
   assert((isData() && gcData) ||